![Page 1: A Framework for Automatically Enforcing Privacy Policiesprojects.csail.mit.edu/jeeves/talks/msrc2013_jeeves.pdf · A Framework for Automatically Enforcing Privacy Policies Jean Yang](https://reader031.vdocuments.us/reader031/viewer/2022030405/5a7e90187f8b9ae9398e949d/html5/thumbnails/1.jpg)
A Framework for Automatically Enforcing Privacy Policies
Jean Yang, MSRC / October 15, 2013
Page 2: Privacy matters. People get it wrong.
Page 3: Many possible points of failure.
Desired policy: only friends can see GPS location.
Implementation: getLocation(user), findAllUsers(location), findTopLocations(), with the policy re-implemented at each of these points.
Page 4: Increasingly complex policies.
Desired policy: only friends who are local can see GPS location within the next five hours.
Page 5 (figure). Jean Yang / Jeeves 5
Page 6: Easier if we separate policies from other functionality.
Policy implementation: only friends can see GPS location.
Other implementation: getLocation(user), findAllUsers(location), findTopLocations().
Involves integrating with the language semantics.
Page 8: The Jeeves Language
findAllUsers(MSRC) → “You have no friends in this location.”
Sensitive values are associated with policies.
![Page 9: A Framework for Automatically Enforcing Privacy Policiesprojects.csail.mit.edu/jeeves/talks/msrc2013_jeeves.pdf · A Framework for Automatically Enforcing Privacy Policies Jean Yang](https://reader031.vdocuments.us/reader031/viewer/2022030405/5a7e90187f8b9ae9398e949d/html5/thumbnails/9.jpg)
val loc = < gpsCoords | country(gpsCoords) >a
label a
Core Functionality
val msg: String = “Jean’s location is ” + asStr(loc)
Contextual Enforcement
print {andrey} msg “Jean’s location is N 52.19, W 0.13.”
print {rishabh} msg “Jean’s location is in the United Kingdom.”
Policies
restrict a: loc.(isNear(oc, jean))
{ low, high }
9
Sensitive Values
Jean Yang / Jeeves
Label.
Label.
Output channel.
Policies are evaluated in the
environment at time of output.
Page 10: Jeeves Policies
  restrict a: λoc.isNear(oc, me)
Policies may refer to sensitive values.
Internally the restriction becomes a constraint on the label:
  loc.addConstraint(¬isNear(oc, me) ⇒ a == low)
Constraints imply low: a may be high only when the viewer is near.
Default values yield guarantees of maximal functionality.
There is always a consistent assignment.
Page 11: Jeeves Execution
Faceted execution: sensitive values such as < 3 | 0 >a and < true | false >a are computed on both facets at once.
Policy manipulation:
  label a
  restrict a: λoc.true
Constraints force a = low when the guard fails; with λoc.true the guard always holds. Constraints are collected and consulted at the output statement print {…} ….
Page 13: Classical Security
Lattice of access levels: Level 3: top secret. Level 2: highly classified. Level 1: privileged information.
Page 14: Classical Security
Viewers must have access for the highest level: combining Level 3 data with Level 0 data yields Level 3.
Page 15: Jeeves Security (figure)
Page 16: Jeeves Non-Interference Guarantee
Given a sensitive value < L | H >a, all executions where a must be low produce equivalent outputs no matter the value of H.
This takes into account when the label depends on sensitive values!
Page 17: Non-Interference in Jeeves
  val location = < default | actual >a
  restrict a: λoc.(distance(oc, location) < 25)
Viewer within radius of the protected location: a is allowed to be high.
Page 18: Non-Interference in Jeeves
  val location = < default | actual >a
  restrict a: λoc.(distance(oc, location) < 25)
Viewer outside radius of the protected location: a must be low. The viewer should not be able to distinguish the actual location from any other of these points.
Page 19: Implementation
Overload operators for faceted evaluation (example values: < 3 | 42 >a, < true | false >a).
Store policies in the runtime environment (policy environment: mkLabel, restrict).
Use an SMT solver as a model finder.
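The faceted values, restrict policies and output-time label resolution of pages 9 through 19, as an added Python example that is not code from the Jeeves project: a brute-force search over label assignments stands in for the SMT solver, the names Facet, lift, concretize, resolve, sq_distance and location_view are assumptions made here, and coordinates are toy planar units.

```python
from itertools import product
HIGH, LOW = "high", "low"

class Facet:
    """Sensitive value < high | low >a; overloaded operators carry both facets."""
    def __init__(self, label, high, low):
        self.label, self.high, self.low = label, high, low
    def __getitem__(self, i): return lift(lambda x, y: x[y], self, i)
    def __add__(self, o): return lift(lambda x, y: x + y, self, o)
    def __rsub__(self, o): return lift(lambda x, y: x - y, o, self)
    def __mul__(self, o): return lift(lambda x, y: x * y, self, o)
    def __lt__(self, o): return lift(lambda x, y: x < y, self, o)

def lift(op, a, b):
    """Apply op facet-wise; facets nest when both operands are sensitive."""
    if isinstance(a, Facet):
        return Facet(a.label, lift(op, a.high, b), lift(op, a.low, b))
    if isinstance(b, Facet):
        return Facet(b.label, lift(op, a, b.high), lift(op, a, b.low))
    return op(a, b)

def concretize(v, asg):
    """Follow each label's assigned facet down to a plain value."""
    while isinstance(v, Facet):
        v = v.high if asg[v.label] == HIGH else v.low
    return v

def resolve(policies, oc):
    """Brute-force model finder (stand-in for the SMT solver): policies maps label a
    to the guard of `restrict a: λoc.guard`; each constraint ¬guard(oc) ⇒ a == low
    must hold, with guards that return facets (policies over sensitive values)
    concretized under the candidate; the consistent candidate with most highs wins."""
    names, best, best_highs = list(policies), None, -1
    for choice in product([HIGH, LOW], repeat=len(names)):
        asg = dict(zip(names, choice))
        ok = all(asg[n] == LOW or concretize(policies[n](oc), asg) for n in names)
        if ok and choice.count(HIGH) > best_highs:
            best, best_highs = asg, choice.count(HIGH)
    return best   # the all-low assignment is always consistent, so never None

def sq_distance(p, q):
    dx, dy = p[0] - q[0], p[1] - q[1]
    return dx * dx + dy * dy

def location_view(viewer, actual, default=(0, 0)):
    """Pages 17/18: the guard mentions the protected value itself (toy planar units)."""
    location = Facet("a", actual, default)
    policies = {"a": lambda oc: sq_distance(oc, location) < 25 * 25}
    return concretize(location, resolve(policies, viewer))   # print {viewer} location
```

A viewer outside the radius receives the default for every possible actual location, which is the non-interference property of page 18 made observable.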
Page 20: Jeeves Frameworks
Embedded DSL with a Scalatra frontend and SQL via Squeryl.
Python-Jeeves: source transform, embedded DSL, Django frontend, PostgreSQL.
Page 21: Case study: JConf
JConf policies and JConf functionality; users: Reviewer, Author.
Page 22: JConf Architecture
Data with attached policies: User (Role); Paper (Title, Author, Reviews, Tags, …); Review (Reviewer, Content); Context (User, Stage). Each field carries its own policy.
Core program (functionality):
•Search papers.
•Display papers.
•Add and remove tags.
•Assign and submit reviews.
Page 23: Functionality vs. Policy

| File | Total LOC | Policy LOC |
|---|---|---|
| ConfUser.scala | 212 | 21 |
| PaperRecord.scala | 304 | 75 |
| PaperReview.scala | 116 | 32 |
| ConfContext.scala | 6 | 0 |
| Backend + Squeryl | 800 | 0 |
| Frontend (Scalatra) | 629 | 0 |
| Frontend (SSP) | 798 | 0 |
| Total | 2865 | 128 |

Policy code is < 5% of the total.
Page 24: Current Directions.
Jeeves runtime ↔ Database.
Page 25: What about inputs?
Reviewer A: new review → Reviews. Reviewer B: new review → Reviews. Author: ---
Page 26: Storing multiple versions?
Reviewer A: new review. Reviewer B: new review, old review. Author.
Page 27: Scores
Users submit new score, new score, old score; another user sees ---.
When viewers specify trust… Need to additionally track who is writing…
Page 28: Mutable State (low-level mechanism)
Associate references with policies: a reference holding 42 may be governed by write policy p1 or p2.
  wrestrict λin.λout.((in == alice) && isFriends(out, alice))
  wrestrict λin.λout.(isFriends(in, alice))
Page 29: Guarantees
Execution with the writer’s inputs vs. execution without the writer’s inputs (new score).
Page 30: Write Policy Case Studies
Authentication; Battleship game; Conference management.
Notes:
• Support policies for confidentiality and integrity.
• Policy-agnosticism good for encoding other policies, for instance game rules.
Page 31: Interfacing with the DB
  select * from papers where author = “Jean Yang”
The author field is stored as authorhigh and authorlow together with its policies.
Page 32: FINALLY.. I CAN FOCUS ON FUNCTIONALITY!
jeeveslang.org
Page 33: Jeeves Team
Armando Solar-Lezama, Thomas Austin, Cormac Flanagan, Travis Hance, Benjamin Shaibu.
Page 34: The Jeeves Framework
Program and Database → customized pages.